Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 26, 2026 · 7 min read

NarwhalRAT: North Korea Hijacks Microsoft Email Alerts

APT37 (ScarCruft) compiled a new Python based backdoor on April 30, 2026 and deployed it weeks later via spear phishing emails impersonating Microsoft Account security alerts — targeting any organization running Microsoft 365.

APT37 compiled NarwhalRAT on April 30, 2026 — just weeks before deploying it against targets whose inboxes receive the one type of email employees are trained never to ignore: a Microsoft security alert.

Key Takeaways

  • APT37 (ScarCruft), a North Korean state-sponsored threat actor active since at least 2012, deployed NarwhalRAT in a targeted spear phishing campaign beginning in June 2026.
  • NarwhalRAT is a Python based RAT with 30+ command prefixes capable of keylogging, screen capture, microphone recording, USB data exfiltration, and in-memory PE execution.
  • The lure email impersonates a legitimate Microsoft Account security notification warning of abnormal OTP activity — the same communication channel Microsoft uses for real account alerts.
  • NarwhalRAT marks a documented departure from APT37's signature RokRAT tooling, suggesting the group is actively expanding and diversifying its malware arsenal.
  • Attribution to APT37 is high-confidence: the pCloud dead-drop resolver, LNK obfuscation pattern, and scheduled task persistence methodology are near-identical to a May 2025 Python backdoor attributed to the same group.

What Is NarwhalRAT?

NarwhalRAT is a Python based, manually-operated remote access trojan first documented by Genians Security Center in June 2026. It is attributed with high confidence to APT37 (also tracked as ScarCruft, Reaper, or InkySquid), a North Korean cyber-espionage unit that has targeted South Korean government, academic, media, and military organizations since at least 2012.

What sets this campaign apart from APT37's previous work is the lure. Prior campaigns leaned on HWP documents — the Korean Hangul word processor format familiar to South Korean government workers — and social media reconnaissance via fabricated Facebook personas. NarwhalRAT arrives inside a ZIP attachment on an email impersonating a Microsoft Account security alert, warning the recipient of "abnormal activity" and repeated OTP generation on their account. The message instructs them to consult the attached advisory. The attachment is not an HWP file. It is a malicious LNK shortcut.

Dark cybersecurity workstation scene showing a fake Microsoft security alert email on screen, representing North Korean APT37 spear phishing attack

How Does the Infection Chain Work?

The execution chain runs five stages, each designed to evade detection at the previous layer.

Stage 1 — LNK execution. The LNK file uses environment variable substring substitution (e.g., %a805aae:~position,1%) to reconstruct and execute a PowerShell command, obfuscating the command line from simple signature detection.

Stage 2 — Python runtime download. A BAT script downloads the official Python 3.10.0 runtime from the legitimate Python distribution server. Using a real, signed installer sidesteps file reputation checks that would flag a custom binary.

Stage 3 — Payload staging. The compiled Python bytecode payload is downloaded disguised as a .cat file and deposited in %APPDATA%\naverwhale — a directory name chosen to masquerade as the Naver Whale browser. Hidden and System attributes are set on the folder.

Stage 4 — In-memory execution. A Python script uses the ctypes module to call VirtualAlloc with PAGE_EXECUTE_READWRITE permissions, then RtlMoveMemory to load the decrypted PE payload directly into memory. No compiled executable lands on disk in the final stage.

Stage 5 — Persistence. A Windows scheduled task named MicrosoftUserInterfacePicturesUpdateTackMachine executes the disguised Python payload every minute. The task name is long enough to pass a casual glance in Task Scheduler and anchored to "Microsoft" terminology to blend with legitimate system tasks.

What Can NarwhalRAT Do Once Running?

NarwhalRAT implements over 30 command prefixes across several capability categories:

  • Keylogging — captures all keystrokes
  • Screen capture — periodic or on-demand screenshots
  • Audio recording — microphone access for ambient surveillance
  • USB/removable storage collection — copies files from connected drives to a local staging path before exfiltration
  • Window enumeration — monitors active application windows; notably filters for KakaoTalk (South Korea's dominant messaging platform), indicating operationally targeted interest
  • Remote command executioncmd: and cmdadm: prefixes for shell access, plus remote mouse control
  • Dynamic C2 reconfiguration — the cmserver: command allows operators to change the active C2 address at runtime without reinfecting the host

Configuration is stored in %LOCALAPPDATA%\Microsoft\Internet Explorer\<random>.ent, AES-128 encrypted using Windows CryptoAPI.

What Is APT37's C2 Architecture?

APT37 has built a dual-layer command and control structure that makes infrastructure takedowns harder to operationalize.

Primary relays are Korean-hosted HTTP servers: daehoat[.]com, novel21.co.kr, webhostingkorea[.]com, crwellfood[.]com, and fe01.co.kr.

Dead-drop resolver via pCloud. Rather than hardcoding the actual C2 IP, NarwhalRAT retrieves the live C2 address from a pCloud API call (folderid= and auth= parameters). The pCloud file is updated by operators when infrastructure rotates. This means that blocking the C2 IP does not kill the implant; the operator simply updates the pCloud entry and all live implants re-resolve. Genians notes that pCloud infrastructure reuse is "one of the characteristics repeatedly mentioned in past APT37-related activity."

This is the third documented APT37 campaign in 2026. NarwhalRAT represents a third distinct tool now in active rotation alongside RokRAT and BirdCall, suggesting the group is maintaining parallel development pipelines to complicate malware-based attribution.

Why Should Microsoft 365 Users Care?

The attack surface here is a Microsoft Account security alert — one of the most trusted email formats in enterprise environments. Organizations spend significant effort training employees to act on Microsoft security notifications: enable MFA, review sign-in activity, reset compromised credentials. APT37 has inverted that conditioning. The behavioral reflex to open a Microsoft security email and follow its instructions is exactly what the lure weaponizes.

Microsoft 365 had approximately 400 million paid seats as of 2024. Every organization whose workforce uses M365 is a plausible target. The lure does not require the recipient to visit a phishing page or enter credentials — they need only open a ZIP attachment and execute what appears to be a document shortcut.

Python based implants loaded in-memory via ctypes do not present as traditional PE executables to endpoint detection tools tuned for compiled malware. The use of the official Python runtime — signed, downloaded from python.org — means the downloader stage passes file reputation checks that would catch a custom loader. For broader context on how North Korean and other state actors are using AI to accelerate offensive campaigns, see the Five Eyes AI cybersecurity joint advisory from June 2026.

Detection and Hunting Guidance

Based on the Genians technical analysis, the following detection signals are actionable:

  • LNK → cmd.exe → BAT → PowerShell chains with environment variable substring substitution in the batch stage
  • Python ctypes calls to VirtualAlloc with PAGE_EXECUTE_READWRITE — this combination is rare in legitimate Python applications
  • Scheduled tasks that create Hidden+System attributed directories under %APPDATA% or C:\Users\Public\
  • pCloud API requests with folderid= and auth= parameters from endpoints where pCloud is not a sanctioned application
  • naverwhale directory creation under %APPDATA%
  • .ent file creation in %LOCALAPPDATA%\Microsoft\Internet Explorer\

Compile timestamp for the PE payload: 2026-04-30 18:07:49 KST. Key MD5 hashes: 3715092aa00f380cefe8b4d2eddb7d08, 7cef19f9c4480adac0cd4702ff98f46c, b6b0602310bb2d4360c52685119aac1b. APT37's anti-analysis also includes CPUID-based hypervisor detection for VMware, VirtualBox, and Parallels — meaning sandbox detonation in those environments may produce a clean result.

The NarwhalRAT campaign is a reminder that the most effective phishing lures do not fake urgency — they borrow it from the institutions their targets already trust. The same pattern appears in Russian operations: Turla's STOCKSTAY backdoor, disclosed by Google Cloud Threat Intelligence in late June 2026, uses spear-phishing emails as its initial access vector before routing C2 through GitHub and Dropbox — a reminder that cloud-hosted infrastructure is now the evasion layer of choice across multiple nation-state actors simultaneously.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.